Authentication with Buffer is the first step in building your app.
Buffer is an OAuth 2.0 provider. We recommend using one of the many great OAuth 2.0 libraries to do the heavy lifting!
All of the Buffer API endpoints require authentication. To get an
access_token you must first have a regstered application. Please note: Buffer no longer supports the creation of new developer apps.
A good OAuth library will handle most of these steps for you. You should only need to supply a client ID and secret.
First, redirect your user to the authorize endpoint. Note, the
redirect_uri must match the Callback URL given when your app was registered.
GET https://bufferapp.com/oauth2/authorize? client_id=...& redirect_uri=...& response_type=code
The user will then approve or deny the request to authorize your application. At this point they will be redirected back to the redirect_uri location with an authorization code or error message as a query parameter. This should look something like:
Note: If you only need a single access token, we will automatically generate that for you after you have created an app.
Your app should swap the authorization code for an access token by
POSTing it along with your
grant_type=authorization_code to our token endpoint. Note, a code is valid for 30 seconds only - this swap should be performed as soon as the code is received. Also note that the code parameter must not be url encoded - ie. it should be formatted like
1/mWot20jTwojsd00jFlaaR45 and not
POST https://api.bufferapp.com/1/oauth2/token.json POST Data client_id=...& client_secret=...& redirect_uri=...& code=...& grant_type=authorization_code
If your request is successful we will return a long-lived access token which can be used to access the users account details for all further api requests.
All requests to the Buffer API must be made using HTTPS, with the access token provided in the HTTP Authorization header, request body or query string. For example, using the query string:
The implementation is based on version 20 of the IETF draft.
To deauthorize your client, see /user/deauthorize.